To protect and serve

Paul Wright is a detective sergeant with the City of London Police. He was previously seconded to the National Hi-Tech Crime Unit as an operational team leader, and as a career detective he has spent the last 10 of his 25 years' service specialising in internet, network and forensic investigations at a local, national and international level. Henry Tucker spoke to him about his work.

Since January 2004 Paul has been in charge of the Hi-Tech Crime Team in the City of London. In this role he is responsible for the day-to-day running of the team and for the implementation of the force's outreach programme to the financial sector.

This e-crime strategy involves giving presentations to a wide range of business organisations and at the same time actively encourages the flow of information between the private sector and law enforcement regarding hi-tech and e-crime. Along with a number of IT and computer forensic qualifications, he holds a master of science in professional computing, is an associate of the Institute of Information Security Professionals, and is also a regular lecturer on computer forensics, hi-tech and e-crime at a number of universities and colleges.

What is your workload like? And what is your role in managing that workload?

All over the globe more and more instances of hi-tech and e-crime are being investigated by law enforcement agencies and other investigative bodies. Along with this increase in workload has come the realisation that crimes involving computers, either as the target of offending, or as one of a range of tools, or the principal tool used in the commission of offences, are technically difficult to investigate and raise many practical problems. One of my main roles is to solve those problems and anticipate as many of them as I possibly can.

What challenges are there now? And where strategically can we respond to these in the future?

There are major challenges facing the world of information security, incident response and computer forensics in how best to understand and deal with the complex and dynamic developments in the ever-evolving world of the internet and digital information. If we do not invest in the skills necessary to police this ever-changing environment, we will have to contend with playing catch-up in understanding how new technologies are associated with traditional and new crimes.

As a forensic science we need to continually seek cost effective ways in which to deal with digital and electronic investigations involving IT abuse and hi-tech crimes. To achieve this we need to commit to training that allows for regular updates, commit to adequate funding and combine it with a commitment to quality. There is also a need to acknowledge the importance of the work, whilst at the same time trying to get others to understand the issues and difficulties associated with it.

In your experience, are criminals becoming better informed about computer forensics procedures? How will these skills be used criminally in the future?

Organised crime and criminals do not stand still and the history of crime trends shows how they have transcended different crimes.

Now we have offences like counterfeit pharmaceuticals and e-fraud being committed via the internet: 1 kilo of active ingredient ($70) makes 14,000 tablets. These are then sold for $10 a tablet, which will make $140,000. In addition they are becoming aware that cyber-criminals, more than any other global crime gangs, are becoming faster and more flexible in ways to deal with data compromise challenges and to avoid the existing rules, regulations and legislation. It can be, and is, perpetrated from anywhere in the world against any computer.

Therefore criminals do attempt to camouflage their methodology but not necessarily because they have become aware of forensic procedures. Those that advocate such awareness tend to have the tools, but not the know-how or the inclination to use them. However, I do believe that this trend will change, but the changes will vary in speed dependent on the type of abuse or crime.

In the future, as well as the awareness and use of anti-forensic tools, I see more and more computer-literate criminals being sent to prison, in particular hackers and paedophiles, a number of whom have a very good knowledge in the use of sophisticated computer and internet techniques. The upper echelons of the criminal fraternity will exploit these skills to their own ends, for example the drug dealer who wants an untraceable and anonymous communication network.

What is the most rewarding part of your job? What aspect of your job do you find most challenging?

Besides the rescuing of children from harm, the most rewarding part is trying to establish multidisciplinary partnerships between academia, industry and law enforcement, in order that we can work together on emerging problems within e-commerce, e-discovery, e-crime prevention, hi-tech and IT-enabled abuse.

Trying to ensure that any such combined effort produces results, such as developing research into technologies and tools, or creating a repository for electronic crime and cyber forensics technical papers. As well as me, there are national institutions and agencies around the globe that are trying to do the same.

The most challenging aspect is getting organisations to understand where they are exposed in relation to incident response and forensic procedures. It is very hard to get an IT administrator to think like an offender, and have him or her keep pace with them.

If we were able to put such infrastructures in place I believe we would all be able to further our knowledge and investigative skills with regard to IT abuse, and in particular hi-tech crimes and the hi-tech criminal.

Encouraging others to establish these foundation stones, along with the thought of legal and financial sanctions, may motivate and cause them to consider the establishment of things like e-crime units, e-crime laboratories and public-private partnerships; especially the latter, as history shows us that they do work.

What particular aspects of computer crime legislation do you feel could be improved?

Hi-tech crime is committed across cyberspace and does not stop at national borders. More than with any other large-scale crime, the swiftness and flexibility of hi-tech crime leaves our existing rules of regulation and legislation outdated.

Such crimes can be perpetrated from anywhere in the world against any computer and I believe that efficient action to combat it is necessary at not only a local level but also at an international level.

Legislation in most countries has fallen behind; it needs to maintain the same speed of change as Moore's Law. The international legal systems have gone some way to achieving the sixth principle established by G8, commonly known as 'quick freeze, slow thaw'. However the detection and punishment of hi-tech crime is highly likely to remain problematic.

This type of crime is perceived to suffer from an increased tendency to 'legislative dependence'; in other words a long period of time elapsing between innovations in criminal enterprise and the response of the state and law enforcement agencies. Technology, and as a result digital crime, develops and changes very rapidly and it takes years for legislation to be enacted, by which time the crime and criminal will have developed a different form of modus operandi.

As a consequence there are those, including me, who say that many digital crimes and criminals cannot be dealt with appropriately under current legislation and unfortunately this is not likely to change in the near future.

What advice would you give to someone who has just started a career in computer forensics? What qualities do you look for in new colleagues?

What is clear, as a forensic examiner in the public or the private sector, is that the procedures, techniques, and guidelines are equally applicable to the collection and examination of digital evidence in internal, civil and criminal investigations. In addition, the emerging case law and regulatory requirements have produced the need for all to preserve data 'by the book'.

This, and the speed with which technology is advancing, have far-reaching implications for the forensic examiner. It also emphasises the need to assume that evidential data should be dealt with as if it were criminal, and the need to keep up to date with emerging techniques and technologies. As for qualities, I look for someone who combines attention to detail and patience with innovative and practical thinking.

As many computers and servers now have huge amounts of storage, what issues does this set you and your team?

As a unit we are seeing that there is an ever-increasing growth in demand for forensic computer evidence recovery. In addition to the number of conventional desktop computers now in circulation there is also a wide variety of computer storage media available.

The force is unique in that the majority of the computer crime workload is fraud based and as a consequence it involves large and complicated networks and servers. Added to this is the growth in storage space available on hard drives and this capacity continues to grow. It is predicted that within two years home computers will have the capacity to store more data than some of the current City of London Police servers. Capacity means longer retrieval and analysis times.

To quantify this in the future the force has now established aims, objectives and performance indicators, all of which will benefit the direction our investigative strategies take. For example the performance indicators will help present the real workload in terms of the total gigabytes searched, rather than the number of computers submitted for examination each quarter.

What are the pressing issues for the future?

There is a major problem facing the City of London Police in how best to understand and deal with the complex and dynamic developments in the ever-evolving world of the internet and digital information. If we do not as a force invest in the skills necessary to police this ever-changing environment, we will have to contend with playing 'catch-up' in understanding new technologies associated with a range of traditional crimes.

As a force we believe that we are able to give a cost effective way in which to deal with digital and electronic investigations involving hi-tech crimes, especially in relation to those that impact on the financial sector.

To achieve this we commit to training that allows for regular updates, commit to adequate funding and combine it with a commitment to quality, and at the same time we acknowledge the importance of the work. Whilst doing this we also endeavour to understand the issues and difficulties associated with it.

As a result we benefit from a valuable tool for investigations and a very cost effective way of achieving good results, whilst being seen to adopt an innovative approach to intelligence analysis and the capacity to deal with the quick and instant changes that occur in the digital world.

Myself and others fully advocate that officers should not be prevented from investigating because of outdated technology and lack of forethought.

More information at: www.cityoflondon.police.uk

This article first appeared in the Winter 09 issue of ISNOW.

January 2009